Re: simple password authorization: how to get around logname?


In my experience your application has to be run setuid root in order to authenticate other users (as it must load PAM, which must be able to read /etc/shadow, or other auth sources as the case may be). I would suggest that this is still better than using a custom setuid program to directly compare against /etc/shadow as you gain the modularity of later moving users into your database, ldap, ... fill in the blank... ;)

Well, running as root is not really desirable - otherwise I could use
getspnam() directly, to read the encrypted password out of /etc/shadow

I will repeat: "I would suggest that this is still better than using a custom setuid program to directly compare against /etc/shadow as you gain the modularity of later moving users into your database, ldap, ... fill in the blank... ;)"


Is there really no way to use PAM to check for a valid password, without doing anything else?

Think of it this way - if any application could verify passwords through PAM without requiring root permission, what would prevent a user from running an interactive password guessing program? If something is going to validate a user as 'authenticated' it must be root, any less is a security risk. If you write a small command line app that does this setuid root, and call it from your other app you are not any more insecure than someone repeatedly connecting to your system and guessing passwords (assuming no odd bugs in your command line app, but kept simple this should be easy).
Nate
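As an added illustration of the small command-line helper Nate describes (example code written for this archive page, not from the thread and not part of Linux-PAM): a Python program that reads a username and a password from standard input, hands them to libpam through ctypes, and exits 0 only if both the auth and account stacks succeed. The service name "login", the 256-byte field limit and the two-line stdin format are assumptions. Python is used so it runs without a compiler; a C helper would make the same pam_start / pam_authenticate / pam_acct_mgmt / pam_end calls. It does nothing beyond the check, which keeps the helper as simple as the thread recommends; for pam_unix to read /etc/shadow it must run as root, and since the kernel ignores the setuid bit on interpreter scripts, that means invoking it through sudo or a compiled setuid wrapper.

```python
"""Tiny PAM password-check helper built on libpam via ctypes (added example)."""
import ctypes
import ctypes.util
import sys

# Return codes and message styles from Linux-PAM's <security/pam_appl.h>.
PAM_SUCCESS = 0
PAM_BUF_ERR = 5
PAM_CONV_ERR = 19
PAM_PROMPT_ECHO_OFF = 1   # "Password:"-style prompt; reply must not be echoed
PAM_PROMPT_ECHO_ON = 2    # prompt expecting echoed input, e.g. a username
MAX_FIELD_LEN = 256       # assumed input limit for this helper, not a PAM constant


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]


class PamResponse(ctypes.Structure):
    # resp is a void* so a C-heap address can be stored; libpam free()s it later.
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]


CONV_FUNC = ctypes.CFUNCTYPE(
    ctypes.c_int, ctypes.c_int,
    ctypes.POINTER(ctypes.POINTER(PamMessage)),
    ctypes.POINTER(ctypes.POINTER(PamResponse)),
    ctypes.c_void_p)


class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


_libc = ctypes.CDLL(ctypes.util.find_library("c"))
_libc.calloc.restype = ctypes.c_void_p
_libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]


def make_conv(password: bytes):
    """Build a PAM conversation callback that answers password prompts with `password`."""
    def conv(n_msgs, msgs, resps, _appdata):
        # libpam takes ownership of the response array and free()s every entry,
        # so the memory must come from the C heap, never from Python objects.
        array = _libc.calloc(n_msgs, ctypes.sizeof(PamResponse))
        if not array:
            return PAM_BUF_ERR
        resps[0] = ctypes.cast(array, ctypes.POINTER(PamResponse))
        for i in range(n_msgs):
            style = msgs[i].contents.msg_style
            if style == PAM_PROMPT_ECHO_OFF:
                buf = _libc.calloc(len(password) + 1, 1)
                if not buf:
                    return PAM_BUF_ERR
                ctypes.memmove(buf, password, len(password))
                resps[0][i].resp = buf
            elif style == PAM_PROMPT_ECHO_ON:
                return PAM_CONV_ERR     # no interactive user here; refuse
            # PAM_ERROR_MSG / PAM_TEXT_INFO need no reply; resp stays NULL.
        return PAM_SUCCESS
    return CONV_FUNC(conv)


def _load_libpam():
    """Load libpam and declare the handful of signatures the helper uses."""
    lib = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    lib.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                              ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    for fn in (lib.pam_authenticate, lib.pam_acct_mgmt, lib.pam_end):
        fn.argtypes = [ctypes.c_void_p, ctypes.c_int]
    lib.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
    lib.pam_strerror.restype = ctypes.c_char_p
    return lib


def authenticate(user, password, service="login"):
    """Run the auth and account stacks of `service`; returns (pam_code, message)."""
    lib = _load_libpam()
    conv_cb = make_conv(password.encode())   # keep a reference for the call's lifetime
    conv = PamConv(conv_cb, None)
    handle = ctypes.c_void_p()
    rc = lib.pam_start(service.encode(), user.encode(), ctypes.byref(conv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return rc, "pam_start failed"
    rc = lib.pam_authenticate(handle, 0)
    if rc == PAM_SUCCESS:
        rc = lib.pam_acct_mgmt(handle, 0)    # locked or expired accounts fail here
    msg = (lib.pam_strerror(handle, rc) or b"").decode(errors="replace")
    lib.pam_end(handle, rc)
    return rc, msg


def parse_credentials(raw: bytes):
    """Parse the helper's stdin: exactly two newline-terminated fields, user then password."""
    parts = raw.split(b"\n")
    if len(parts) != 3 or parts[2] != b"":
        raise ValueError("expected exactly two newline-terminated fields")
    user, password = parts[0], parts[1]
    if not user or len(user) > MAX_FIELD_LEN or len(password) > MAX_FIELD_LEN:
        raise ValueError("field empty or too long")
    if b"\0" in user or b"\0" in password:
        raise ValueError("NUL byte in field")
    return user.decode(), password.decode()


def main() -> int:
    try:
        user, password = parse_credentials(sys.stdin.buffer.read(2 * MAX_FIELD_LEN + 2))
    except ValueError as exc:
        print(f"bad input: {exc}", file=sys.stderr)
        return 2
    rc, msg = authenticate(user, password)
    print(msg)
    return 0 if rc == PAM_SUCCESS else 1


if __name__ == "__main__":
    sys.exit(main())
```

The calling application writes the two lines to the helper's stdin and looks only at the exit status, so the password never appears on a command line where other users could read it from the process table. Any input that is not exactly two bounded fields is rejected before PAM is touched, which is the "kept simple" property the thread relies on.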



_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list

